Background
The U.S. Postal Service’s Corporate Information Security Office (CISO) plays a pivotal role in safeguarding data and assets of one of the largest and most critical networks in the nation. The Postal Service network links more than 31,000 facilities and connects more than 653,000 employees and hundreds of systems for the efficient processing and delivery of mail to everyone living in the U.S. and its territories. To protect its network and information resources against evolving cyber threats, the Postal Service must overcome staffing challenges such as an increasing demand for cybersecurity professionals with a limited applicant pool, and recruiting and retaining a skilled CISO workforce. Effective workforce planning is essential to addressing these challenges.
What We Did
Our objective was to determine whether the CISO is adequately staffed by assessing recruitment, retention, and performance measurements. For this audit, we reviewed the CISO workforce and strategic staffing activities for fiscal year (FY) 2021 through FY 2023 and interviewed headquarters personnel.
What We Found
Although the CISO workforce remained stable with low turnover in FY 2023, and while it maintains well-defined job roles and monitors some workforce-related metrics, we could not determine whether the CISO is adequately staffed because the CISO leadership had not established necessary elements of an effective workforce planning process to ensure personnel are qualified to meet the organization’s mission and strategic goals. Specifically, we found that the CISO leadership did not document key components of a workforce plan to ensure ongoing initiatives aligned to strategic goals, despite highlighting recruitment and retention as a goal in its five-year strategic plan. The CISO leadership did not believe there was a need for formal documentation of a workforce plan and stated that workforce planning information is documented in current strategic planning and budgeting activities. Additionally, the CISO leadership stated that they have the ability to determine when to continue or end workforce initiatives.
Recommendations
We recommended management establish and document a workforce plan and develop a process to track employee and contractor training and certifications to monitor progress toward addressing the skills gaps identified in periodic skills assessments.